I am trying to follow the MacTeX-2012 instructions for migrating from (unsafe) shell-escape to using "restricted-shell-escape". But it is unclear to me what items to put in the file that specifies the "safe list" for this mode.

For example, if I remove shell-escape from my command line (or disable it from the warning dialog in TeXShop) and try to use a package that requires it, such as auto-pst-pdf, I get an error:

"You need to run LaTeX with the equivalent of "pdflatex -shell-escape" Or turn off auto-pst-pdf."

I also notice that I get other warnings, even with this simple example, such as

"Package ifplatform Warning: Shell escape is disabled, so I can only detect \ifwindows"

and wonder if there is a way to avoid these, and the corresponding loss of functionality using "restricted-shell-escape" -- or at least find out what I'm missing without scanning the log.

What items do I need to add to my texmf.cnf to get auto-pst-pdf to work without enabling shell-escape? How, in general, do I determine what items should be in this list? Are there some things that will only work with the shell-escape flag, and not with "restricted-shell-escape"; how can I determine what those are?

The pdftex binary provided with the pretest version had a bug, which seems to have been corrected in the release version. Try the sample file you find in this message by Reinhard Kotucha, which used to trigger the bug but works correctly in my TeX Live 2012/MacTeX. However, this doesn't work (and never has) with XeTeX.
– egreg Jul 21 '12 at 23:44

It's actually the hardwrap package that uses the shell-escape. (The hardwrap package is used by later versions of tufte-latex to word-wrap the log messages nicely.)
– godbyk Jul 22 '12 at 0:55

@raxacoricofallapatorius: Can you post your complete .log file? It could be that we need to rework the logic in hardwrap or that there's an issue with your installation.
– godbyk Jul 22 '12 at 4:36

@raxacoricofallapatorius I don't know why you have the buggy version of pdftex, but the production date of your pdflatex format is before the release date of TeX Live, so it seems that you have the pretest version of the binary. Run TeX Live Utility and update all.
– egreg Jul 22 '12 at 7:00

1 Answer

I would avoid modifying the list of programs allowed to run in the restricted shell. These are either programs that don't write out any output (and when output redirection is requested they don't work in the restricted shell escape setting) or respect the openout_any setting in texmf.cnf.

As far as the present problem is concerned, running pdflatex with shell escape enabled on the file filename.tex consists in using the command line

pdflatex -shell-escape filename

(no quotes).

How to set up a front-end to run this command depends on the front-end itself. With TeXShop, for example, one can define a new engine. In your ~/Library/TeXShop/Engines folder duplicate XeLaTeX.engine and call it pdflatexshell.engine. Modify the file (with TeXShop itself) to read

So basically, one should just run shell-escape when needed, rather than enable specific programs? That seems like a not-so-optimal solution, since instead of picking a few programs to always allow, one ends up occasionally (perhaps frequently) allowing all programs.
– raxacoricofallapatorius Jul 25 '12 at 21:04

@raxacoricofallapatorius If the document comes from an untrusted source, run it without shell escape and look for system in the log file to see what it attempted to do during compilation.
– egreg Jul 25 '12 at 21:34

I'd still be curious: what program would I need to add to the list (on OS X) to get auto-pst-pdf to work without shell-escape? Adding gs doesn't seem to do the trick.
– raxacoricofallapatorius Jul 30 '12 at 23:05
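
The log check suggested in the comments above (compile without shell escape, then look for system calls in the log) can be scripted. This is an added example, not code from the thread: it assumes pdfTeX's log entries of the form runsystem(command)...outcome. and the default 79-column log wrapping, and the sample log and the function names are constructed for illustration.

```python
import re

# Outcomes pdfTeX appends after "runsystem(<command>)..." in the .log file.
STATUSES = (
    "executed safely (allowed)",          # restricted mode, command on the safe list
    "disabled (restricted)",              # restricted mode, command not on the list
    "quotation error in system command",
    "executed",                           # full -shell-escape
    "disabled",                           # shell escape switched off
)
ENTRY = re.compile(
    r"runsystem\((.*?)\)\.\.\.(" + "|".join(map(re.escape, STATUSES)) + r")\."
)

def unwrap(log_text, width=79):
    """Rejoin lines TeX broke at max_print_line (assumed default: 79 columns)."""
    joined, buf = [], ""
    for line in log_text.splitlines():
        buf += line
        if len(line) != width:   # a full-width line continues on the next one
            joined.append(buf)
            buf = ""
    if buf:
        joined.append(buf)
    return joined

def shell_attempts(log_text):
    """Return (command, outcome) for every shell call recorded in the log."""
    return [m for line in unwrap(log_text) for m in ENTRY.findall(line)]

def refused_programs(attempts):
    """Program names whose calls were not run (outcome starts with 'disabled')."""
    return sorted({cmd.split()[0] for cmd, outcome in attempts
                   if outcome.startswith("disabled") and cmd.split()})

# Constructed sample log; the second runsystem entry is wrapped at column 79.
_long = ("runsystem(ps2pdf -dAutoRotatePages=/None sample-pics.ps "
         "sample-pics.pdf)...disabled.")
SAMPLE_LOG = "\n".join([
    "This is a constructed sample, not real pdfTeX output",
    "runsystem(uname -s > sample.w18)...disabled.",
    _long[:79], _long[79:],
    "runsystem(kpsewhich sample.sty)...executed safely (allowed).",
    "runsystem(rm -f sample.tmp)...disabled (restricted).",
])

if __name__ == "__main__":
    for command, outcome in shell_attempts(SAMPLE_LOG):
        print(f"{outcome:28} {command}")
    print("refused:", ", ".join(refused_programs(shell_attempts(SAMPLE_LOG))))
```

Reading the full command next to each refused program name shows what the document tried to do before any decision about enabling shell escape for it.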